What is the location condition in Azure Active Directory Conditional Access?

With Azure Active Directory (Azure AD) Conditional Access, you can control how authorized users can access your cloud apps. The location condition of a Conditional Access policy enables you to tie access control settings to the network locations of your users.

This article provides you with the information you need to configure the location condition.

Locations

Azure AD enables single sign-on to devices, apps, and services from anywhere on the public internet. With the location condition, you can control access to your cloud apps based on the network location of a user. Common use cases for the location condition are:

  • Requiring multi-factor authentication for users accessing a service when they are off the corporate network.
  • Blocking access for users accessing a service from specific countries or regions.

A location is a label for a network location that represents either a named location or multi-factor authentication Trusted IPs.

Named locations

With named locations, you can create logical groupings of IP address ranges or countries and regions.

You can access your named locations in the Manage section of the Conditional Access page.

[Screenshot: Named locations in Conditional Access]

A named location has the following components:

[Screenshot: Create a new named location]

  • Name - The display name of a named location.

  • IP ranges - One or more IPv4 address ranges in CIDR format. Specifying an IPv6 address range is not supported.

    Note

    IPv6 address ranges cannot currently be included in a named location. This means IPv6 ranges cannot be excluded from a Conditional Access policy.

  • Mark as trusted location - A flag you can set for a named location to indicate a trusted location. Typically, trusted locations are network areas that are controlled by your IT department. In addition to Conditional Access, trusted named locations are also used by Azure Identity Protection and Azure AD security reports to reduce false positives.

  • Countries/Regions - This option enables you to select one or more countries or regions to define a named location.

  • Include unknown areas - Some IP addresses are not mapped to a specific country or region. This option allows you to choose whether these IP addresses should be included in the named location. Use this setting when the policy using the named location should apply to unknown locations.

The number of named locations you can configure is constrained by the size of the related object in Azure AD. You can configure locations based on the following limitations:

  • One named location with up to 1200 IP ranges.
  • A maximum of 90 named locations with one IP range assigned to each of them.

Conditional Access policy applies to IPv4 and IPv6 traffic. Currently, named locations do not allow IPv6 ranges to be configured. This limitation causes the following situations:

  • Conditional Access policy cannot be targeted to specific IPv6 ranges
  • Conditional Access policy cannot exclude specific IPv6 ranges

If a policy is configured to apply to "Any location", it will apply to IPv4 and IPv6 traffic. Named locations configured for specified countries and regions only support IPv4 addresses. IPv6 traffic is only included if the option to "include unknown areas" is selected.

Trusted IPs

You can also configure IP address ranges representing your organization's local intranet in the multi-factor authentication service settings. This feature enables you to configure up to 50 IP address ranges. The IP address ranges are in CIDR format. For more information, see Trusted IPs.

If you have Trusted IPs configured, they show up as MFA Trusted IPs in the list of locations for the location condition.

Skipping multi-factor authentication

On the multi-factor authentication service settings page, you can identify corporate intranet users by selecting Skip multi-factor authentication for requests from federated users on my intranet. This setting indicates that the inside corporate network claim, which is issued by AD FS, should be trusted and used to identify the user as being on the corporate network. For more information, see Enable the Trusted IPs feature by using Conditional Access.

After checking this option, including the named location MFA Trusted IPs will apply to any policies with this option selected.

For mobile and desktop applications, which have long-lived session lifetimes, Conditional Access is periodically reevaluated. The default is once an hour. Since the inside corporate network claim is only issued at the time of the initial authentication, Azure AD may not have a list of trusted IP ranges. In this case, it is more difficult to determine if the user is still on the corporate network, so two checks are made:

  1. Check if the user's IP address is in one of the trusted IP ranges.
  2. Check whether the first three octets of the user's IP address match the first three octets of the IP address of the initial authentication. The IP address is compared with the one seen at the initial authentication, when the inside corporate network claim was originally issued and the user location was validated.

If both steps fail, a user is considered to be no longer on a trusted IP.
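The two-step reevaluation described above, written out as an added example in Python (this is not Microsoft's code; the trusted ranges and the initial-authentication address are constructed sample values, and the logic is only a model of the check the page describes, useful for reasoning about which client addresses a policy will still treat as on-network an hour after sign-in):

```python
import ipaddress

# Constructed sample data (not from the page): trusted IP ranges an admin might
# configure in the MFA service settings, and the public IPv4 address seen at the
# initial authentication when the inside-corpnet claim was issued.
TRUSTED_RANGES = ["203.0.113.0/24", "198.51.100.128/25"]
INITIAL_AUTH_IP = "192.0.2.45"


def in_trusted_ranges(ip, ranges=TRUSTED_RANGES):
    """Step 1: is the user's public address inside one of the trusted CIDR ranges?"""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        # Trusted IPs and named locations only take IPv4 ranges, so an
        # IPv6-only client can never match a trusted range.
        return False
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def same_first_three_octets(ip, initial_ip=INITIAL_AUTH_IP):
    """Step 2: do the first three octets match the initial-authentication address?"""
    addr, initial = ipaddress.ip_address(ip), ipaddress.ip_address(initial_ip)
    if addr.version != 4 or initial.version != 4:
        return False
    # Compare the first three bytes of the packed address, i.e. a /24 match.
    return addr.packed[:3] == initial.packed[:3]


def still_on_trusted_ip(ip, ranges=TRUSTED_RANGES, initial_ip=INITIAL_AUTH_IP):
    """A user is only treated as off a trusted IP when both steps fail."""
    return in_trusted_ranges(ip, ranges) or same_first_three_octets(ip, initial_ip)


if __name__ == "__main__":
    for probe in ["203.0.113.77", "192.0.2.200", "192.0.3.45", "8.8.8.8", "2001:db8::1"]:
        print(f"{probe:>14}: still on trusted IP = {still_on_trusted_ip(probe)}")
```

Note that step 2 only compares a /24 prefix, so a client that moves to a different address inside the same /24 as its initial sign-in still passes even when that address is outside every configured trusted range.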

Location condition configuration

When you configure the location condition, you have the option to distinguish between:

  • Any location
  • All trusted locations
  • Selected locations

[Screenshot: Location condition configuration]

Any location

By default, selecting Any location causes a policy to be applied to all IP addresses, which means any address on the Internet. This setting is not limited to IP addresses you have configured as named locations. When you select Any location, you can still exclude specific locations from a policy. For example, you can apply a policy to all locations except trusted locations to set the scope to everything outside the corporate network.

All trusted locations

This option applies to:

  • All locations that have been marked as trusted locations
  • MFA Trusted IPs (if configured)

Selected locations

With this option, you can select one or more named locations. For a policy with this setting to apply, a user needs to connect from any of the selected locations. When you click Select, the named network selection control that shows the list of named networks opens. The list also shows whether the network location has been marked as trusted. The named location called MFA Trusted IPs is used to include the IP settings that can be configured in the multi-factor authentication service settings page.

What you should know

When is a location evaluated?

Conditional Access policies are evaluated when:

  • A user initially signs in to a web app, mobile or desktop application.
  • A mobile or desktop application that uses modern authentication uses a refresh token to acquire a new access token. By default this check is once an hour.

This means that for mobile and desktop applications using modern authentication, a change in location would be detected within an hour of changing the network location. For mobile and desktop applications that don't use modern authentication, the policy is applied on each token request. The frequency of the request can vary based on the application. Similarly, for web applications, the policy is applied at initial sign-in and is good for the lifetime of the session at the web application. Due to differences in session lifetimes across applications, the time between policy evaluations will also vary. Each time the application requests a new sign-in token, the policy is applied.

By default, Azure AD issues a token on an hourly basis. After moving off the corporate network, the policy is enforced within an hour for applications using modern authentication.

User IP address

The IP address that is used in policy evaluation is the public IP address of the user. For devices on a private network, this IP address is not the client IP of the user's device on the intranet; it is the address used by the network to connect to the public internet.

Warning

If your device has only an IPv6 address, configuring the location condition is not supported.

Bulk uploading and downloading of named locations

When you create or update named locations, for bulk updates, you can upload or download a CSV file with the IP ranges. An upload replaces the IP ranges in the list with those from the file. Each row of the file contains one IP address range in CIDR format.
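Because an upload replaces the whole list, it is worth checking the file before uploading it. The following is an added example (not Microsoft's tooling) that pre-validates such a CSV against the constraints stated on this page: one CIDR range per row, IPv4 only, and at most 1200 ranges per named location; the sample file contents are constructed:

```python
import csv
import io
import ipaddress

MAX_RANGES_PER_NAMED_LOCATION = 1200  # limit stated on the page

# Constructed sample file (not from the page): two valid IPv4 ranges, an IPv6
# range that named locations reject, a range with host bits set, and junk.
SAMPLE_CSV = """203.0.113.0/24
198.51.100.0/25
2001:db8::/32
192.0.2.5/24
not-an-ip-range
"""


def validate_named_location_csv(text, max_ranges=MAX_RANGES_PER_NAMED_LOCATION):
    """Pre-check a CSV before upload. Returns (accepted, errors): accepted is a
    list of normalised IPv4 CIDR strings, errors a list of (row, value, reason)."""
    accepted, errors = [], []
    for row_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or not row[0].strip():
            continue  # skip blank rows
        value = row[0].strip()
        try:
            # strict=True rejects ranges whose host bits are set (192.0.2.5/24),
            # which would otherwise silently widen to 192.0.2.0/24.
            net = ipaddress.ip_network(value, strict=True)
        except ValueError as exc:
            errors.append((row_no, value, f"not a valid CIDR range: {exc}"))
            continue
        if net.version != 4:
            errors.append((row_no, value, "IPv6 ranges are not supported in named locations"))
            continue
        accepted.append(str(net))
    if len(accepted) > max_ranges:
        errors.append((0, "", f"{len(accepted)} ranges exceed the limit of {max_ranges}"))
    return accepted, errors


if __name__ == "__main__":
    ok, bad = validate_named_location_csv(SAMPLE_CSV)
    print("accepted:", ok)
    for row_no, value, reason in bad:
        print(f"row {row_no}: {value!r}: {reason}")
```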

Cloud proxies and VPNs

When you use a cloud hosted proxy or VPN solution, the IP address Azure AD uses while evaluating a policy is the IP address of the proxy. The X-Forwarded-For (XFF) header that contains the user's public IP address is not used because there is no validation that it comes from a trusted source, so it would present a method for faking an IP address.

When a cloud proxy is in place, a policy that requires a domain joined device can be used, or the inside corpnet claim from AD FS.

API support and PowerShell

API and PowerShell are not yet supported for named locations or for Conditional Access policies.

Next steps